[From nobody Wed Apr  8 11:51:06 2026
Received: (at submit) by bugs.debian.org; 8 Apr 2026 08:27:47 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-116.6 required=4.0 tests=BAYES_00,
 BODY_INCLUDES_PACKAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,
 DKIM_VALID_AU,DKIM_VALID_EF,FOURLA,FROMDEVELOPER,HAS_PACKAGE,
 SPF_HELO_NONE,SPF_NONE,UNPARSEABLE_RELAY,USER_IN_DKIM_WELCOMELIST
 autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 12; hammy, 150; neutral, 98; spammy,
 0. spammytokens:
 hammytokens:0.000-+--Hx-spam-relays-external:sk:stravin,
 0.000-+--H*RT:sk:stravin, 0.000-+--Hx-spam-relays-external:311,
 0.000-+--H*RT:311, 0.000-+--H*RT:108
Return-path: <smcv@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:38136)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAOGI-005O11-2c
 for submit@bugs.debian.org; Wed, 08 Apr 2026 08:27:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; 
 s=smtpauto.stravinsky;
 h=X-Debian-User:Content-Type:MIME-Version:Message-ID:
 Subject:To:From:Date:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
 Content-Description:In-Reply-To:References;
 bh=h7K1PWpgSCvofapInQCqrcnL1RsTRaNs3ST5CipT4AI=; b=CGUdhTbmktYluTXwXWB2lfr/j6
 K76gDL8ItMCsZL/ypZKRz/0nyzB/5MBLmAxdRQNZl4Ww4X1sFVQvtYModij0RMyYhfUXC1AixYEj5
 SZXc6McTBBCIB99uZx8GXcsUElHXOWBHce55l1iJ2vL0+u5J2zQ7il17E88MiPuK+wEtgdhn0+Obd
 ojU4iIazTQlx38Hs4bLKHKL1xCRz0V86jXj27PNdxkQJ/aXsmbgODZ4UGZ8KcSwkUvsqzJF9V7E33
 CVY2662uC+sAY2DFHHKJUwwMB2sWHTEV4lZYfalGf/xs0iNFly7zHrws+KnBj3K0CrHE2DQPl3Gnk
 5baBBdLg==;
Received: from authenticated user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <smcv@debian.org>) id 1wAOGG-008I7n-2V
 for submit@bugs.debian.org; Wed, 08 Apr 2026 08:27:45 +0000
Date: Wed, 8 Apr 2026 09:27:42 +0100
From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xdg-desktop-portal: GHSA-rqr9-jwwf-wxgj: Race condition in trash
 portal vs. symlinks
Message-ID: <adYRfgAIpPJuVYlX@definition.pseudorandom.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 13.2.0
X-Debian-User: smcv
Delivered-To: submit@bugs.debian.org

Package: xdg-desktop-portal
Version: 1.20.3+ds-3
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
Forwarded: https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj

xdg-desktop-portal's Trash portal allows sandboxed apps to ask for a 
file or directory to be moved to the trash. Similar to CVE-2026-34078 in 
Flatpak, a malicious or compromised Flatpak app could ask the portal to 
trash a file that it owns, then replace that file with a symlink in an 
attempt to cause the portal to trash the target of the symlink on the 
host system. I'm not sure what the severity of this would be considered 
to be, so I've reported it as RC for now, but please downgrade if RC is 
considered excessive.

Currently no CVE ID has been allocated for this. I don't know whether 
upstream plans to request one.

For testing/unstable, I'm preparing an upload of 1.20.4 now.

For trixie, I think the easiest way to fix the vulnerability will be to 
backport 1.20.4 from testing/unstable, reverting any of the packaging 
changes in 1.20.3+ds-2 and 1.20.3+ds-3 that are felt to be inappropriate 
for a stable update. There are no changes between 1.20.3 and 1.20.4 
other than those required to fix the vulnerability, but it adds a 
"copylib" subproject (libglnx, the same one used in Flatpak) to 
implement safe symlink traversal, so the diff is large.

For bookworm, it'll have to be a backport of individual changes. I 
suggest prioritizing trixie > bookworm and flatpak > xdg-desktop-portal.

experimental will remain vulnerable until 1.21.1 is released, or until I 
get a chance to convert the changes into patches, whichever is first. 
I'm hoping that 1.21.1 will be released today.

    smcv
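The class of race this report describes, as an added example that is not xdg-desktop-portal's, libglnx's or Flatpak's code and makes no claim about how the Trash portal or the 1.20.4 fix is actually implemented: a caller-named entry is moved into a trash directory, first by a naive routine that resolves the path with realpath() before acting on it (a stand-in for any check-then-act done by path, which follows a symlink planted after the request was made), then by a routine that works relative to a directory fd, inspects the entry with AT_SYMLINK_NOFOLLOW and refuses symlinks. The temp tree, the host/app/trash layout, the result flags and every function name are assumptions made up for this illustration; the scenario is constructed inline so it runs offline.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (illustration, not the portal's code): canonicalise the
 * caller's path, then act on the result. realpath() follows symlinks, so if
 * the caller swapped `path` for a symlink, the rename hits the link's target. */
static int trash_naive(const char *path, const char *trash_dir)
{
    char resolved[PATH_MAX], dest[PATH_MAX];
    if (realpath(path, resolved) == NULL)
        return -1;
    const char *base = strrchr(resolved, '/');
    snprintf(dest, sizeof dest, "%s/%s", trash_dir, base ? base + 1 : resolved);
    return rename(resolved, dest);
}

/* Hardened pattern: open the parent directory once, inspect the entry with
 * AT_SYMLINK_NOFOLLOW, accept only regular files and directories, and rename
 * relative to that directory fd. renameat() never follows a symlink, so if the
 * entry turns into a link between check and rename only the link itself moves. */
static int trash_nofollow(const char *dir, const char *name, const char *trash_dir)
{
    struct stat st;
    int rc = -1;
    if (strchr(name, '/') != NULL) return -1;   /* one directory entry, not a path */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    int tfd = open(trash_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd >= 0 && tfd >= 0 &&
        fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
        (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)))
        rc = renameat(dfd, name, tfd, name);
    if (dfd >= 0) close(dfd);
    if (tfd >= 0) close(tfd);
    return rc;
}

/* Constructed scenario in a fresh temp tree: host/secret stands in for a file
 * on the host, app/doc is the entry the app asked to trash and then replaced
 * with a symlink to host/secret (a plain file if want_link is 0), trash/ is
 * the trash directory. Returns 0 on success. */
static int setup_scenario(char *root, size_t n, int want_link)
{
    const char *sub[] = { "host", "app", "trash" };
    char secret[PATH_MAX], doc[PATH_MAX], p[PATH_MAX];
    snprintf(root, n, "%s/trashdemo.XXXXXX", getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp");
    if (mkdtemp(root) == NULL) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", root, sub[i]);
        if (mkdir(p, 0700) != 0) return -1;
    }
    snprintf(secret, sizeof secret, "%s/host/secret", root);
    snprintf(doc, sizeof doc, "%s/app/doc", root);
    FILE *f = fopen(secret, "w");
    if (!f || fputs("host data\n", f) < 0 || fclose(f) != 0) return -1;
    if (want_link) return symlink(secret, doc);   /* the attacker's swap */
    f = fopen(doc, "w");
    return f ? fclose(f) : -1;
}

static void teardown(const char *root)
{
    const char *e[] = { "host/secret", "app/doc", "trash/secret", "trash/doc", "host", "app", "trash" };
    char p[PATH_MAX];
    for (int i = 0; i < 7; i++) {
        snprintf(p, sizeof p, "%s/%s", root, e[i]);
        if (unlink(p) != 0) rmdir(p);
    }
    rmdir(root);
}

/* Result flags for run_scenario(): CALL_OK if the implementation reported
 * success, HOST_INTACT if host/secret survived, DOC_TRASHED if trash/doc exists. */
enum { CALL_OK = 1, HOST_INTACT = 2, DOC_TRASHED = 4 };

int run_scenario(int hardened, int want_link)
{
    char root[PATH_MAX], app[PATH_MAX], doc[PATH_MAX], trash[PATH_MAX], p[PATH_MAX];
    if (setup_scenario(root, sizeof root, want_link) != 0) return -1;
    snprintf(app, sizeof app, "%s/app", root);
    snprintf(doc, sizeof doc, "%s/app/doc", root);
    snprintf(trash, sizeof trash, "%s/trash", root);
    int rc = hardened ? trash_nofollow(app, "doc", trash) : trash_naive(doc, trash);
    int out = rc == 0 ? CALL_OK : 0;
    snprintf(p, sizeof p, "%s/host/secret", root);
    if (access(p, F_OK) == 0) out |= HOST_INTACT;
    snprintf(p, sizeof p, "%s/trash/doc", root);
    if (access(p, F_OK) == 0) out |= DOC_TRASHED;
    teardown(root);
    return out;
}

int main(void)
{
    printf("naive on symlink:      %d (1 = host file moved into trash)\n", run_scenario(0, 1));
    printf("nofollow on symlink:   %d (2 = refused, host file intact)\n", run_scenario(1, 1));
    printf("nofollow on real file: %d (7 = trashed as intended)\n", run_scenario(1, 0));
    return 0;
}
```

The naive routine "succeeds" and the host file is the thing that ends up in the trash; the fd-relative routine refuses the symlink and still trashes a real file. The safety of the hardened variant does not depend on winning the race: it does the check and the rename against the same directory fd with no symlink-following call anywhere, so losing the race at worst moves the link itself. A real implementation of the FreeDesktop trash spec also has to write the accompanying .trashinfo entry and handle cross-device moves, both of which this example omits.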
]